Removing attribute_accessor docs duplication #6212

Closed
wants to merge 675 commits into
from

Contributor

frodsan commented May 8, 2012

/cc @vijaydev

spastorino and others added some commits Mar 3, 2012

CSS fix for guides. Closing #5028 [ci skip]
In Ubuntu Chrome, in the last lines of code blocks, the underscore isn't
visible. Increasing the line height slightly seems to fix this. This
problem doesn't exist in Firefox even on Ubuntu. Too lazy to test in
any other OS-browser combo :)
fix associations when using per class databases
would get ConnectionNotEstablished error because it always tried to use
ActiveRecord::Base's connection, even though it should be using the connection
of the model whose context we're operating in
Whitelist all attribute assignment by default.
Change the default for newly generated applications to whitelist all attribute assignment. Also update the generated model classes so users are reminded of the importance of attr_accessible.
Contributor

yaroslav commented on 06a3a8a Mar 4, 2012

Thanks! Guess the change in config/application.rb would be enough, but people tend to create a shitstorm instead.

Contributor

parndt replied Mar 4, 2012

Was this really intended for 3-2-stable?

Contributor

larzconwell replied Mar 4, 2012

Looks great! I like it!

Contributor

fnando replied Mar 4, 2012

\m/

Awesome.

andyvb Mar 7, 2012

@stevenh512 thanks for the info! Looks like :without_protection is what I'm looking for.

Contributor

stevenh512 replied Mar 7, 2012

@andyvb I was thinking more of the scoped attr_accessible that Rails 3.1 gives us (attr_accessible :attr1, :attr2, :as => :admin), but yeah, :without_protection would also work and would probably be more backwards compatible. For 3.0 and earlier there's also a Railscast that teaches how to do something similar to 3.1's scoped attr_accessible.

damir Mar 10, 2012

What about *_ids methods?

A lot of people use attr_protected for keys and flags, simply because it is easier to blacklist a few fields than to whitelist the rest.

How many of them ever used *_ids method to be aware of that? This is not even documented at http://guides.rubyonrails.org/security.html#countermeasures.

This SHOULD be protected by default in next release.
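
The gap raised in the comment above, as an added example that is not part of the thread and not Rails code: a simplified pure-Ruby model of mass-assignment filtering, in which `ToyModel`, `BlacklistedUser`, `WhitelistedUser`, `demo` and the sample parameters are all constructed for illustration. It shows that a blacklist naming only `admin` still accepts a `role_ids=` setter, while a whitelist rejects it.

```ruby
# Simplified model of mass-assignment filtering; NOT ActiveRecord code.
class ToyModel
  class << self
    attr_reader :protected_attrs, :accessible_attrs
    # Blacklist: every attribute not named here stays assignable.
    def attr_protected(*names)
      @protected_attrs = names.map(&:to_s)
    end
    # Whitelist: only the attributes named here are assignable.
    def attr_accessible(*names)
      @accessible_attrs = names.map(&:to_s)
    end
  end

  # Assigns permitted keys through their setters; returns the rejected keys.
  def assign_attributes(params)
    allowed, rejected = params.partition { |key, _| assignable?(key.to_s) }
    allowed.each { |key, value| public_send("#{key}=", value) }
    rejected.map { |key, _| key.to_s }
  end

  private

  def assignable?(key)
    return false unless respond_to?("#{key}=")
    whitelist = self.class.accessible_attrs
    return whitelist.include?(key) if whitelist
    !Array(self.class.protected_attrs).include?(key)
  end
end

class BlacklistedUser < ToyModel
  attr_accessor :name, :admin, :role_ids # role_ids= stands in for an association's *_ids setter
  attr_protected :admin
end

class WhitelistedUser < ToyModel
  attr_accessor :name, :admin, :role_ids
  attr_accessible :name
end

# Constructed request parameters, shaped like a submitted form hash.
PARAMS = { "name" => "alice", "admin" => true, "role_ids" => [1] }.freeze

# Runs the same parameters through a model and reports what got through.
def demo(klass)
  user = klass.new
  rejected = user.assign_attributes(PARAMS)
  { rejected: rejected, admin: user.admin, role_ids: user.role_ids }
end
```

`demo(BlacklistedUser)` rejects only `admin` and leaves `role_ids` set, whereas `demo(WhitelistedUser)` rejects both `admin` and `role_ids`.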

damir Mar 10, 2012

What about *_ids methods?

A lot of people use attr_protected for keys and flags, simply because it is easier to blacklist a few fields than to whitelist the rest.

How many of them ever used *_ids method to be aware of that? This is not even documented at http://guides.rubyonrails.org/security.html#countermeasures.

Funfun Mar 12, 2012

That will do.

rafaelfranca and others added some commits Mar 4, 2012

Only add the whitelist_attributes option if ActiveRecord is present
Conflicts:

	railties/test/generators/app_generator_test.rb
	railties/test/isolation/abstract_unit.rb
Always passing a respond block from to responder
We should let the responder to decide what to do with the given
overridden response block, and not short circuit it.

Fixes #5280
Merge pull request #5299 from sikachu/3-2-stable-fix-responder
Always passing a respond block from to responder
Merge pull request #5316 from Jacobkg/master
Update ActiveRecord::AttributeMethods#attribute_present? to return false for empty strings
Add tests to test that through associations are not readonly, and we can update the records we retrieve from the association
In a nested resource route, the parent resource param is <resource_name>_id

This fix was made by @coreyhaines on docrails and merged in master.
Cleanly cherry picking into 3-2-stable wasn't possible.
Contributor

brianmario commented on cff19cf Mar 9, 2012

👍

curious if this will help any regarding brianmario/mysql2#66, brianmario/mysql2#209 or brianmario/mysql2#213

Member

tenderlove replied Mar 9, 2012

@brianmario I don't think so... I've seen those errors before, but I can't remember exactly the problem. IIRC, it happens if you have a low traffic app where the connection timeout is not long enough, but I can't remember.

@jeremy do you recall issues like these? I seem to remember there was a fix in rails.

Member

fxn replied Mar 9, 2012

I know of an application that reports lost connections often. It is a busy application (about 40K rpm). A priori seems strange because the connection pool does a mysql_ping on checkout, so you got a successful ping and just milliseconds later the connection is lost (or the server gone, also happens). The MySQL server on the other hand seems to be doing fine.

Not saying it is related to this patch, just a followup.

pixeltrix and others added some commits Apr 29, 2012

Don't convert params if the request isn't HTML - fixes #5341
(cherry picked from commit 7a80b69)

Conflicts:

	actionpack/test/controller/test_test.rb
Fix the build.
* The method for persisted records in 3-2-branch is 'PUT'
* size is generated by default in inputs
Merge pull request #5922 from rafaelfranca/deprecate_javascript_helpers
Deprecate link_to_function and button_to_function
Add note about using 303 See Other for XHR requests other than GET/POST
IE since version 6 and recently Chrome and Firefox have started following
302 redirects from XHR requests other than GET/POST using the original request
method. This can lead to DELETE requests being redirected amongst other things.

Although it doesn't directly affect the Rails framework since it doesn't return
a 302 redirect to any non-GET/POST request a note has been added to raise
awareness of the issue. Some references:

Original article from @technoweenie:
http://techno-weenie.net/2011/8/19/ie9-deletes-stuff/

Hacker News discussion of the article:
http://news.ycombinator.com/item?id=2903493

WebKit bug report:
https://bugs.webkit.org/show_bug.cgi?id=46183

Firefox bug report and changeset:
https://bugzilla.mozilla.org/show_bug.cgi?id=598304
https://hg.mozilla.org/mozilla-central/rev/9525d7e2d20d

Chrome bug report:
http://code.google.com/p/chromium/issues/detail?id=56373

HTTPbis bug report and changeset:
http://trac.tools.ietf.org/wg/httpbis/trac/ticket/160
http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1428

Roy T. Fielding's history of the issue:
http://ftp.ics.uci.edu/pub/ietf/http/hypermail/1997q3/0611.html

Automated browser tests for the issue:
http://www.mnot.net/javascript/xmlhttprequest/

Fixes #4144
(cherry picked from commit 24f1437)
fix the Flash middleware loading the session on every request (very dangerous especially with Rack::Cache), it should only be loaded when the flash method is called
Correcting some confusion. Pago Pago is part of American Samoa, not Samoa.

Further, Samoa and Tokelau jumped across the IDL from Dec 29 to Dec 31, 2011
switching from UTC-11 to UTC+13. American Samoa did not make the change and
remains at UTC-11. Pacific/Fakaofo and Pacific/Apia are in TZInfo and
documentation about the dateline change is in australasia at IANA.

(cherry picked from commit 1d08ce5)
Merge pull request #6095 from route/assets_precompile_task
Fix that asset precompile didn't respect the index.js convention. Fixes #3993.
Reset the request parameters after a constraints check
A callable object passed as a constraint for a route may access the request
parameters as part of its check. This causes the combined parameters hash
to be cached in the environment hash. If the constraint fails then any subsequent
access of the request parameters will be against that stale hash.

To fix this we delete the cache after every call to `matches?`. This may have a
negative performance impact if the constraint wraps a large number of routes as the
parameters hash is built by merging GET, POST and path parameters.

Fixes #2510.
(cherry picked from commit 5603050)
Add a role option to wrap_parameters.
The role option identifies which parameters are accessible and should be wrapped. The default role is :default.
improvements in "caching_with_rails" guide - backported from docrails
Conflicts:

	railties/guides/source/caching_with_rails.textile
Merge pull request #6158 from Dagnan/3-2-stable
improvements in "caching_with_rails" guide
Merge pull request #4445 from nragaz/role_based_params_wrapping
specify a role for identifying accessible attributes when wrapping params
Merge pull request #6170 from mjtko/feature-beginning_of_hour-for-3-2-stable

Backport beginning and end of hour support for Time and DateTime to 3-2-stable
Add failing test re #3436 which demonstrates content_type is not respected when using the :head method/shortcut
Merge pull request #6198 from whistlerbrk/3-2-stable
Address ActionPack head method not respecting explicitly set content-type #3436
Merge pull request #6211 from frodsan/docs_attr_accessor_32stable
Adding docs to attribute accessor methods.

@frodsan frodsan closed this May 8, 2012

Contributor

josevalim commented on 7dc83f7 Jun 18, 2012

Scumbag @wycats, changes Thor semantically from 0.14 -> 0.15, commits to Rails 3-2-stable saying Thor will guarantee semver. :trollface:

nikosd Oct 27, 2012

What are the chances of bringing this back to 3.1.X? 0%???

Member

rafaelfranca replied Oct 27, 2012

@nikosd unfortunately none. 3-1-stable is not under maintenance anymore. This branch only accepts security fixes

nikosd Oct 28, 2012

I imagine that :)
